Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it - POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list - accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user - including holders of low-privilege internal-user keys - could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Articles & Coverage 1
AnalysisAI
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute arbitrary commands on the host system. Two MCP (Model Context Protocol) test endpoints accept stdio transport configurations including command, args, and env fields, then spawn the supplied command as a subprocess with proxy process privileges. Authentication with any valid API key, including low-privilege internal-user keys, bypasses intended PROXY_ADMIN role restrictions. Patch available in version 1.83.7. No CISA KEV listing or public exploit code identified at time of analysis, though EPSS scoring is not provided in available data.
Technical ContextAI
LiteLLM is an AI Gateway proxy server that provides OpenAI-compatible interfaces for various LLM APIs. The vulnerability affects MCP (Model Context Protocol) server testing functionality introduced in version 1.74.2. MCP uses stdio transport to communicate with external tools/servers, requiring command execution on the host. The POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints accept JSON configurations containing command, args, and env parameters for stdio transport. These endpoints lack proper authorization checks, validating only API key presence without verifying PROXY_ADMIN role membership. This represents CWE-77 (Command Injection) combined with an authorization bypass, where user-controlled input flows directly into subprocess.spawn() or equivalent system calls. The affected CPE is cpe:2.3:a:berriai:litellm:*:*:*:*:*:*:*:*, covering all deployment methods (pip package, Docker container).
RemediationAI
Upgrade to LiteLLM version 1.83.7 or later, which enforces PROXY_ADMIN role checks on both vulnerable endpoints. For pip installations, run 'pip install --upgrade litellm'. For Docker deployments, pull ghcr.io/berriai/litellm:v1.83.7-stable and verify image signature using cosign per vendor instructions at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable. If immediate upgrade is not feasible, block POST requests to /mcp-rest/test/connection and /mcp-rest/test/tools/list at reverse proxy or API gateway level using URL path filtering. This workaround prevents exploitation but disables MCP server preview functionality. Additionally, audit all issued API keys and revoke unnecessary low-privilege internal-user keys to reduce attack surface. Review proxy process security context and consider running LiteLLM with reduced privileges or in isolated containers to limit blast radius. No additional code changes or configuration modifications required after upgrading to patched version.
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit
Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoin
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28507
GHSA-v4p8-mg3p-g94g